An algorithm named PTBBWD is presented to detect worms. It is process traffic behavior based and has considered three important behaviors: total amount of source ports in wormlike traffic, changing frequency of source ports in wormlike process traffic and the wormlike traffic proportion of the total process traffic. Unlike similar work before, PTBBWD checks the frequency and the total amount of source ports only when a process is sending wormlike traffic. Experiments using applications in the wild show that PTBBWD can detect worms quickly and correctly with small false positives.
展开▼
